1. Introduction and Motivation.


This paper advances two aspects of the study of the properties of computer programs - the scientifically motivated search for general theorems that permit deducing properties of programs and the engineering problem of replacing debugging by computer-assisted computer-checked proofs that programs have desired properties. Both tasks require mathematics, but the second also requires keeping a non-mathematical goal in mind - getting short completely formal proofs that are easy to write and check by computer.


A pure Lisp style recursive program P defines a partial function f_P. By adjoining an undefined element ⊥ (read "bottom") to the data domains, f_P may be extended to a total function which we denote by the same symbol. In (Cartwright 1976), it was shown that f_P satisfies a functional equation, which is a sentence in a first order theory T_P. Besides the functional equation, T_P contains symbols for the basic functions, predicates and constants of the data domain, axioms for the data domain and its extension by ⊥, and additional function symbols for the functions defined by recursive programs. (Cartwright 1976) also showed how the functional equation can be used to prove facts about the program by reasoning within T_P, including the fact that f_P is total, i.e. doesn't take the value ⊥ except when ⊥ is an argument.


When f_P is total, and sometimes when it isn't, it is completely characterized by the functional equation. Otherwise, the characterization can be completed by a minimization schema (McCarthy 1978 and this paper) or alternatively by a complete recursive function as first defined in (Cartwright 1978). Moreover, we show how to find a representation of f_P by a sentence of the form (∀x)(y = f_P(x) ≡ A(x)) where A(x) is a wff of T_P not involving f_P.


Now assume that T_P contains functions sufficient for axiomatizing basic syntax, e.g. Lisp or elementary number theory, and let S be a sentence of T_P involving only f_P and the basic functions of the data domain. Then (Cartwright and McCarthy 1979) shows how to construct a sentence S' involving only the basic functions of the data domain such that we can prove in first order logic that S ≡ S'. Therefore, the fact that total correctness is not axiomatizable in first order logic is just a matter of the Gödelian incompleteness of the data domain, and it can be expected that all "ordinary" facts about programs will be provable just as all "ordinary" facts of elementary number theory are provable in spite of its incompleteness.


This paper is primarily concerned with proving such "ordinary" facts about recursive function programs with a view to developing practical techniques for program verification using interactive theorem provers. As such it should be compared with other ways of using logic in program proving.


Axiomatizing programs as functions compares favorably with Floyd-Hoare methods in several respects. First it permits stating and proving facts that cannot even be stated in Floyd-Hoare formalisms such as equivalence of programs and algebraic relations between the functions defined by programs. It has the advantage compared to the Scott-Strachey formalisms that it uses ordinary first order logic rather than a logic of continuous functions. This permits the use of any mathematical facts that can be expressed in first order logic, including those that are most conveniently expressed in set theory. This is especially important when the statement of program correctness or its informal proof involve other mathematical objects than those that occur in the program data domain.

After an informal introduction to recursive programs, subsequent sections of this paper discuss the use of conditional expressions and first order lambdas in first order logic, adjoining ⊥ to the data domains in order to convert partial functions and predicates into total functions, axioms for Lisp and the integers, the representation of recursive programs by functions, inductive methods of proof, the minimization schema, an extended example of a correctness proof, representation of the inductive assertion and subgoal induction methods as axiom schemata, and a convenient way of representing recursively defined functions by non-recursive sentences.

Our methods apply directly to proving only extensional properties of programs, e.g. properties of the function defined by the program. Intensional properties such as the number of times an operation like recursion or cons is performed are often extensional properties of simply obtained derived programs. Some of these properties are also extensional properties of the functional of which the function is the least fixed point.

An adequate background for this paper is contained in (Manna 1974) and more concisely in (Manna, Ness and Vuillemin 1973). The connections of recursive programs with second order logic are given in (Cooper 1969) and (Park 1970). Our notation differs from Manna's in order to use the = sign exactly as in first order logic.


2. Recursive Programs.

We consider recursive programs like

Factorial: n! ← if n equal 0 then 1 else n × (n - 1)!

which is the well known recursive program for the factorial function. We will use capitalized italic names for programs themselves regarded as texts and the corresponding name initialized with lower case as a name for the function computed by the program, except that as in the case of Factorial, we sometimes use an infix or other conventional notation for the function. Mutually recursive sets of function programs will also be considered.

Another example is the Lisp program Append. In this paper we will use the Lisp external or publication notation of (McCarthy and Talcott 1979), and we will write u*v for append[u, v]. We then have

Append: u * v ← if n u then v else a u . [d u * v]

Here we are using n for null, a for car, d for cdr and an infixed . for cons. We omit brackets for functions of one argument. In a more traditional Lisp M-expression notation we would have

append[u, v] ← if null[u] then v else cons[car[u], append[cdr[u], v]],

and in Maclisp S-expression notation, this would be

(DEFUN APPEND (U V)
  (COND ((NULL U) V) (T (CONS (CAR U) (APPEND (CDR U) V))))).

Our objective is to prove facts about such recursively defined functions by regarding the recursive function definitions as sentences of first order logic. More accurately, we represent the recursive function definitions by very similar sentences of first order logic. Factorial and Append are translated into the sentences

1) (∀n)(iseint n ⊃ n! = if n equal 0 then 1 else n × (n - 1)!)

and

2) (∀u v)(iselist u ∧ iselist v ⊃ u*v = if n u then v else a u . [d u * v])

respectively. The form of conditional expression if p then a else b used in these sentences is just a function that could as well be written if(p, a, b) so far as the logic is concerned.

The predicates iseint and iselist respectively restrict their arguments to be extended integers (i.e. the integers extended by ⊥) and extended lists. When these domains can be taken for granted, we can omit the explicit restrictions and write

3) (∀n)(n! = if n equal 0 then 1 else n × (n - 1)!)

and

4) (∀u v)(u * v = if n u then v else a u . [d u * v])

The sentences (1) and (2) completely characterize the functions defined by the programs Factorial and Append, so proofs of the properties of these functions can be deduced from these sentences together with axioms characterizing the natural number and Lisp data domains respectively. For example, suppose we wish to prove that * satisfies the equations

5) (∀v)(NIL * v = v)

and

6) (∀u)(u * NIL = u),

i.e. NIL is both a left and right identity for the * operation. (5) is trivially obtained by substituting NIL for u in (1) and using the rules for evaluating conditional expressions which will have been added to the usual rules for first order logic. (6) expresses a more typical program property in that its proof requires a mathematical induction.

This induction is accomplished by substituting

7) Φ(u) ≡ (u * NIL = u)

in the list induction schema

8) Φ(NIL) ∧ (∀u)(islist u ∧ ¬null u ∧ Φ(d u) ⊃ Φ(u)) ⊃ (∀u)(islist u ⊃ Φ(u)),

and using (2), the axioms for lists, and the rules of inference of first order logic including those for conditional expressions.

Once the formalism has been established, totality can be proved in the same way as other properties of the programs. Thus the totality of u*v is proved by substituting

9) Φ(u) ≡ islist[u*v]

into the schema (8) and using (2), etc. as described above.

The translation of the program into a logical sentence would be trivial to justify if we were always assured that the program terminates for all sets of arguments and thus defines a total function. The innovation is that the translation is possible even without that guarantee at the cheap price of extending the data domain by an undefined element ⊥, rewriting recursively defined predicate programs as function programs, having two kinds of equality and conditional expression, and providing each predicate with two forms - one a genuine predicate in the logic and the other a function imitating the partial predicate by a function that takes the value ⊥ when the program for the predicate doesn't terminate. Proofs of termination then take the same form as other inductive proofs. However, additional formalism is required to characterize completely programs that don't always terminate.

The  next  sections  introduce  the  logical  basis  of  the  formalism  and  axioms  and  axiom 
schemata  for  Lisp. 


3. Two Useful Extensions to First Order Logic.

We  begin  by  extending  first  order  logic  to  include  conditional  expressions  and  first  order 
lambda  expressions.  This  allows  us  to  parallel  the  structure  of  recursive  programs  within  logical 
sentences. 

We cannot add arbitrary programming constructions to first order logic without risking its useful properties such as completeness or even consistency. Fortunately, these extensions are harmless, because they are not merely conservative; they can even be eliminated from wffs, and they are generally useful. In fact, they are useful for expressing mathematical ideas concisely and understandably quite apart from applications to computer science. The reader is assumed to know about first order logic, conditional expressions and lambda expressions; we explain only their connection.

Remember that the syntax of first order logic is given in the form of inductive rules for the formation of terms and wffs. The rule for forming terms is extended as follows:

If P is a wff and a and b are terms, then IF P THEN a ELSE b is a term. Sometimes parentheses must be added to insure unique decomposition. Note that this makes the definitions of term and wff mutually recursive.

The semantics of conditional expression terms is given by a rule for determining their values. Namely, if P is true, then the value of IF P THEN a ELSE b is the value of a. Otherwise it is the value of b.

It is also necessary to add rules of inference to the logic concerned with conditional expressions. One could get by with rules permitting the elimination of conditional expressions from sentences and their introduction. These rules are important anyway, because they permit proof of the metatheorem that the main properties of first order logic are unaffected by the addition of conditional expressions. These include completeness, the deduction theorem, and semi-decidability.

In order to state these rules it is convenient to introduce conditional expressions also as a ternary logical connective. A more fastidious exposition would use a different notation for logical conditional expressions, but we will use them so little that we might as well use the same notation, especially since it is not ambiguous. Namely, if P, Q, and R are wffs, then so is IF P THEN Q ELSE R. Its semantics is given by considering it as a synonym for ((P ∧ Q) ∨ (¬P ∧ R)).

Elimination of conditional expressions is made possible by the distributive laws

10) f(IF P THEN a ELSE b) = IF P THEN f(a) ELSE f(b)

and

11) Φ(IF P THEN a ELSE b) ≡ IF P THEN Φ(a) ELSE Φ(b) ≡ (P ∧ Φ(a)) ∨ (¬P ∧ Φ(b))

where f and Φ stand for arbitrary function and predicate symbols respectively.

Notice that this addition to the logic has nothing to do with partial functions or the element ⊥.


While the above rules are sufficient to preserve the completeness of first order logic, proofs are often greatly shortened by using the additional rules introduced in (McCarthy 1963). We mention especially an extended form of the rule for replacing an expression by another expression proved equal to it. Suppose we want to replace the expression c by an expression c' within the conditional expression IF P THEN a ELSE b. To replace an occurrence of c within a, we need not prove c = c' but merely P ⊃ c = c'. Likewise if we want to replace an occurrence of c in b, we need only prove ¬P ⊃ c = c'. This principle is further extended in the afore-mentioned paper.

A further useful and eliminable extension to the logic is to allow "first order" lambda expressions as function and predicate expressions. Thus if x is an individual variable, e is a term, and P is a wff, then (λx)e and (λx)P may be used wherever a function symbol or predicate symbol respectively are allowed. Formally, this requires that the syntactic categories of <function symbol> and <predicate symbol> be generalized to <function expression> and <predicate expression> respectively and that these categories are then defined mutually recursively with terms and wffs.

The  only  inference  rule  required  is  lambda  conversion  which  serves  to  eliminate  or 
introduce  lambda  expressions.  According  to  this  rule,  a wff  is  equivalent  to  a wff  obtained  from 
it  by  replacing  a sub-wff  or  sub-term  by  one  obtained  from  it  by  lambda  conversion.  The  rules 
for  lambda  conversion  must  Include  alphabetic  changes  of  bound  variables  when  needed  to  avoid 
capture  of  the  free  variables  in  arguments  of  lambda  expressions. 

The use of minimization schemata and schemata of induction is facilitated by first order lambda expressions, since the substitution just replaces occurrences of the function variable in the schema by a lambda expression which can subsequently be expanded by lambda conversion. Using lambda expressions somewhat simplifies the rule for substitution in schemata. First order lambda expressions also permit many sentences to be expressed more compactly and may be used to avoid duplicate computations in recursive programs. Thus we can write [(λx)(x² + x)](a + b) instead of (a + b)² + (a + b). Since all occurrences of first order lambda expressions can be eliminated from wffs by lambda conversion, the metatheorems of first order logic are again preserved. The reason we don't get the full lambda calculus is that the syntactic rules of first order logic prevent a variable from being used in both term and function positions. While we have illustrated the use of lambda expressions with single variable λ's, expressions like (λx y z)e are also useful and give no trouble. It is also easily seen that lambda conversion within a term preserves its value, and lambda conversion within a wff preserves its truth value.

Actually it seems that even higher order λ's won't get us out of first order logic provided rules of typing are obeyed and we provide no way of quantifying over function variables. Any occurrences of higher order lambda expressions in wffs are eliminable just by carrying out the indicated lambda conversions. For example, we could define

transitive = (λR)((∀X Y Z)(R(X, Y) ∧ R(Y, Z) ⊃ R(X, Z))),

and any use of transitive in a wff would be eliminable using its definition and lambda conversion.


4. Partial Functions and Partial Predicates.

The main difficulty to be overcome in representing recursive programs by logical sentences is that the computation of an arbitrary recursive program cannot be guaranteed to terminate. Consider the recursive program

Runaway: f(n) ← f(n) + 1

over the integers. If we translate Runaway into the sentence

12) (∀n)(f(n) = f(n) + 1)

and use the axioms of arithmetic, we get a contradiction.

The way out is to adjoin to our data domains an additional element ⊥ (read "bottom"), which is taken to be the value of the function when the computation doesn't terminate. In addition we add the axiom

13) (∀n)(isint n ∨ n = ⊥),

and modify the axioms for arithmetic to refer to elements satisfying isint. Then going from Runaway to (12) doesn't lead to a contradiction but to the desired result that

14) (∀n)(f(n) = ⊥),

provided we also postulate that

15) (∀n)(n + ⊥ = ⊥ + n = ⊥),

which is reasonable given the interpretation of ⊥ as the value of a computation that doesn't terminate. We will postulate that all of the base functions, except the conditional expression, have ⊥ as value if any argument is ⊥. Such functions are called strict. Manna (1974) calls them natural extensions of the functions defined on the domain without ⊥.

We have discussed treating partial functions by introducing ⊥. A function takes the value ⊥ when the program that computes it doesn't terminate, and it is sometimes convenient to give a function the value ⊥ in some other cases when we want it to be undefined.

It is convenient to introduce a rather trivial partial ordering relation on our data domain once it has been extended by adjoining ⊥. Namely, we define the relation X ⊑ Y by

16) (∀X Y)(X ⊑ Y ≡ X = ⊥ ∨ X = Y).

(Readers of (Manna 1974) should note that the symbol ≡ is being used in its common logical sense of "if and only if"). We also make corresponding definitions of ⊒, ⊏, and ⊐. The ordering can be extended to functions by defining

17) f ⊑ g ≡ (∀X)(f(X) ⊑ g(X)).

This induced ordering is not so trivial, but we don't use it in this paper, since it gets us out of first order logic. Even though (16) defines a rather trivial ordering, we find that it shortens and clarifies many formulas.

Partial predicates give rise to new problems. The computation of a recursively defined predicate may not terminate, so the same problem arises. However, we can't solve it in the same way without adding an additional undefined truth value to the logic. This would give rise to a partial first order logic in which sentences could be true, false or undefined. Various partial predicate calculi have been studied in (McCarthy 1964), (Bochvar 1938 and 1943) and elsewhere, but they have the serious disadvantage that arguments by cases become quite long, since three cases always have to be provided for, even when most of the predicates are known to be total. Moreover, existing logic texts, proof-checkers and theorem provers all use total logic. Therefore, it seems better to keep the logic conventional and handle partial predicates as functions.

We introduce a domain with three elements T, F and ⊥ called the domain of extended truth values. In a sorted logic, this may be a separate sort. Otherwise, it may be considered either separately or as part of the main data domain. In Lisp it is convenient to regard T and F as special atoms and to use the same ⊥ for extended truth values as for extended S-expressions. It is even possible to follow the Lisp implementations that use NIL for F and interpret all other S-expressions as T, although we don't do that in this paper.

It is convenient to define first a form of conditional expression that takes an extended truth value as its first argument, namely

if p then a else b = IF p = ⊥ THEN ⊥ ELSE IF p = T THEN a ELSE b.

The only difference between the extended conditional expression and the logical conditional expression is that since the extended conditional expression takes an extended truth value as propositional argument, we can provide for the possibility that the computation of that argument fails to terminate. Since the extended conditional expression treats the undefined cases according to their behavior in programs, we use the same notation as previously used for programs.

Extended boolean operators are conveniently defined using the extended conditional expressions. For every predicate or boolean operator, we introduce a corresponding function taking extended truth values as operands and taking an extended truth value as its value. Thus the function and is written with an infix and defined by

p and q = if p then q else F

The function and is distinct from the logical operator ∧ which remains in the logic. To illustrate this, we have the true sentence

((p and q) = T) ≡ (p = T) ∧ (q = T).

The parentheses in the above can be omitted without ambiguity given suitable precedence rules. Note that and has the non-commutative property of (McCarthy 1963), namely F and ⊥ = F while ⊥ and F = ⊥. This corresponds to the fact that it is convenient to compute p and q by a program that doesn't look at q if p is false but which doesn't terminate if the computation of p doesn't terminate. Symmetry could be restored if the computer time-shared its computations of p and q, but there are too many practical disadvantages to such a system to justify doing it for the sake of mathematical symmetry. Algol 60 requires that both p and q be computed which precludes using boolean operators as the main connectives of Lisp type recursive definitions of predicates.

Other extended boolean operators are defined by

p or q = if p then T else q

and

not p = if p then F else T.

We also require an equality function that extends logical equality, namely

X equal Y = IF X = ⊥ ∨ Y = ⊥ THEN ⊥ ELSE IF X = Y THEN T ELSE F.

Readers familiar with (Manna 1974) should note that we write = where Manna writes ≡, and we write equal where Manna writes =. We have chosen our notation to conform to that of first order logic with equality.

In  fact,  the  key  to  successful  representation  of  recursive  programs  in  first  order  logic  is  the 
simultaneous  use  of  true  equality  in  the  logic  in  order  to  make  assertions  freely  and  the  equal 
function  that  gives  an  undefined  result  for  undefined  arguments.  The  latter  describes  the 
behavior  of  an  equality  test  within  the  program.  The  two  forms  of  conditional  expression  are 
also  essential. 

The partial ordering ⊑ is also useful applied to extended truth values.

We summarize this in the following set of axioms:

T1: (∀p)(istv p ≡ p = T ∨ p = F)

T2: (∀p)(isetv p ≡ istv p ∨ p = ⊥)

T3: T ≠ F ∧ ¬istv ⊥

T4: (∀p X Y)(isetv p ⊃ if p then X else Y = IF p = ⊥ THEN ⊥ ELSE IF p = T THEN X ELSE Y)

T5: (∀p)(isetv p ⊃ not p = if p then F else T)

T6: (∀p q)(isetv p ∧ isetv q ⊃ p and q = if p then q else F)

T7: (∀p q)(isetv p ∧ isetv q ⊃ p or q = if p then T else q)

T8: (∀X Y)(X equal Y = IF X = ⊥ ∨ Y = ⊥ THEN ⊥ ELSE IF X = Y THEN T ELSE F)

T9: (∀p q)(isetv p ∧ isetv q ⊃ (p ⊏ q ≡ p = ⊥ ∧ (q = T ∨ q = F))).
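The extended truth values and the functions fixed by T1 to T8 can be modelled directly. The Python below is an added example, not code from the paper: ⊥ is an ordinary sentinel value (so non-termination is represented rather than simulated), `strict` is the natural extension of section 4 applied to +, and the names `ext_if`, `ext_and`, `ext_or`, `ext_not` and `ext_equal` are this example's names for the paper's if-then-else, and, or, not and equal. It checks the sentence ((p and q) = T) ≡ (p = T) ∧ (q = T) over the whole domain and recovers exactly the non-commutative pairs the text mentions.

```python
import operator
from itertools import product
from typing import Any, Callable, List, Tuple


class _Bottom:
    """The undefined element ⊥ (read 'bottom'): the value of a computation that doesn't terminate."""

    def __repr__(self) -> str:
        return "⊥"


BOTTOM = _Bottom()
T, F = "T", "F"                       # the genuine truth values, treated as special atoms
ETV = (T, F, BOTTOM)                  # the domain of extended truth values


def istv(p: Any) -> bool:
    """T1: p is a (defined) truth value."""
    return p is T or p is F


def isetv(p: Any) -> bool:
    """T2: p is an extended truth value."""
    return istv(p) or p is BOTTOM


def strict(f: Callable) -> Callable:
    """Natural extension of a base function: the value is ⊥ whenever any
    argument is ⊥, as postulated for + in sentence (15)."""

    def extended(*args: Any) -> Any:
        if any(a is BOTTOM for a in args):
            return BOTTOM
        return f(*args)

    return extended


plus = strict(operator.add)           # n + ⊥ = ⊥ + n = ⊥


def ext_if(p: Any, a: Any, b: Any) -> Any:
    """T4, the extended conditional:
    if p then a else b = IF p = ⊥ THEN ⊥ ELSE IF p = T THEN a ELSE b.

    Unlike the logical conditional, the propositional argument may be ⊥.
    Because ⊥ is an ordinary value here, a and b can be passed eagerly."""
    if not isetv(p):
        raise TypeError(f"not an extended truth value: {p!r}")
    if p is BOTTOM:
        return BOTTOM
    return a if p is T else b


def ext_not(p: Any) -> Any:
    """T5: not p = if p then F else T."""
    return ext_if(p, F, T)


def ext_and(p: Any, q: Any) -> Any:
    """T6: p and q = if p then q else F (q is not looked at when p is F)."""
    return ext_if(p, q, F)


def ext_or(p: Any, q: Any) -> Any:
    """T7: p or q = if p then T else q."""
    return ext_if(p, T, q)


def ext_equal(x: Any, y: Any) -> Any:
    """T8: X equal Y = IF X = ⊥ ∨ Y = ⊥ THEN ⊥ ELSE IF X = Y THEN T ELSE F.
    This is the program's equality test; Python's == plays the role of logical equality."""
    if x is BOTTOM or y is BOTTOM:
        return BOTTOM
    return T if x == y else F


def and_agrees_with_conjunction() -> bool:
    """Check the true sentence ((p and q) = T) ≡ (p = T) ∧ (q = T) over the whole domain."""
    return all((ext_and(p, q) is T) == (p is T and q is T) for p, q in product(ETV, ETV))


def noncommutative_pairs() -> List[Tuple[Any, Any]]:
    """Pairs (p, q) with p and q ≠ q and p; the text predicts exactly (F, ⊥) and (⊥, F)."""
    return [(p, q) for p, q in product(ETV, ETV) if ext_and(p, q) is not ext_and(q, p)]


if __name__ == "__main__":
    print("F and ⊥ =", ext_and(F, BOTTOM), "  ⊥ and F =", ext_and(BOTTOM, F))
    print("non-commutative pairs:", noncommutative_pairs())
    print("3 + ⊥ =", plus(3, BOTTOM))
```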
5. The Functional Equation of a Recursive Program - Theory.

The familiar recursive program

18) u * v ← if n u then v else a u . [d u * v]

is a special case of a system of mutually recursive programs which can be written

19) f_1(x_1, ..., x_{m_1}) ← τ_1(f_1, ..., f_n, x_1, ..., x_{m_1})
    ...
    f_n(x_1, ..., x_{m_n}) ← τ_n(f_1, ..., f_n, x_1, ..., x_{m_n})

Here the τ's are terms in the individual variables x_1, etc. and the function symbols f_1, ..., f_n.

All the essential features of such mutual recursive definitions arise when there is only one function, but phenomena arise when there are two or more arguments to the functions that do not arise in the one argument case - two arguments being sufficiently general. Therefore, we write

20) f(x, y) ← τ(f, x, y),

which may also be written

21) f(x, y) ← τ[f](x, y)

when we wish to emphasize that τ maps a partial function f into another partial function τ[f].

In this paper, we shall mainly consider recursive programs over S-expressions, lists and integers, but we can actually start with an arbitrary collection of base functions and predicates over a collection of domains and define the functions computable in terms of the base functions. This is discussed in (McCarthy 1963). In a discussion of the basic ideas, full generality is superfluous, and all the interesting phenomena arise with a single domain - call it D, extended to D* by adjoining ⊥ and with characteristic predicate isD.

Such  a program  or  system  of  mutually  recursive  programs  can  be  regarded  as  defining  a 
partial  function  in  several  ways. 

1. It can be compiled into a machine language program for some computer using call-by-value. The resulting program is a subroutine that calls itself recursively. Before it is called, the values of the arguments must be computed and stored in suitable conventional registers. This includes its calls to itself. Most Lisp implementations as well as most implementations of other programming languages use call-by-value.

2. It can be compiled into a machine language program for some computer using call-by-name. The resulting program again calls itself recursively. It is called by storing into suitable registers the location of programs for computing the expressions that have been written as its arguments. Thus ((w . x) * f(u)) would be compiled into a program that would give the program for u*v pointers to programs for computing w . x and f(u). The program for * could call these other programs whenever it wanted its arguments. In the case of u*v, there is nothing the program can profitably do except call for both of its arguments. However, a program for multiplying two matrices might call its first argument, and, if the first argument turned out to be the zero matrix, not bother to call the second argument.

We can also consider evaluating the function by symbolic computation. Namely, we substitute the arguments of the function * for u and v, and then evaluate the right hand side of the definition. There are many ways to do this evaluation, because there may be more than one occurrence of the function being defined on the right hand side of the definition, but two of them correspond to call-by-name and call-by-value respectively.

3. When evaluating a conditional expression, always evaluate the propositional term first and use it to decide which of the other terms to evaluate first. When evaluating a term formed by composition of functions, if there is only one occurrence of the function being defined on the right hand side, there is no choice to be made, but if there is more than one, expand the leftmost innermost first. If it gives an answer substitute it and continue the process. If it gives further recursion, then proceed with its leftmost innermost, etc. This corresponds to call-by-value.

4. If instead of expanding the leftmost innermost occurrence of the function first, we expand the outermost occurrences, we get an evaluation method corresponding to call-by-name.

It  should  also  be  proved  that  evaluation  by  substitution  and  evaluation  by  subroutine  both 
using  call-by-value  give  the  same  results.  The  two  ways  of  doing  call-by-name  should  also  be 
proved  to  give  the  same  results.  Such  a proof  would  involve  reasoning  about  the  operation  of 
subroutine  calls  and  the  saving  of  temporary  storage  registers  on  the  stack.  We  are  not  aware  of  a 
published  proof  of  these  statements  or  even  a precise  statement  of  them. 

Computing u*v doesn't show the difference between these methods, but consider the function

22) morris(x, y) ← if x equal 0 then 0 else morris(x - 1, morris(x, y))

introduced in (Morris 1968). Evaluating morris(2, ⊥) by either call-by-value method leads to an infinite computation, because the term morris(x, y) has to be evaluated all over. Call-by-name evaluation, on the other hand, gives the answer 0, because the second argument of morris is never called. Vuillemin (1973) shows that whenever call-by-value gives an answer, call-by-name gives the same answer, but sometimes call-by-name gives an answer when call-by-value doesn't. If we force a program to be strict, i.e. to demand that all of its arguments are defined, then call-by-name and call-by-value are equi-terminating - to coin a word.

(Manna  1974)  also  contains  proofs  of  these  assertions. 

Execution of recursive programs by substitution is inefficient, but provides a good theoretical tool for classifying the more efficient subroutine methods of evaluation.
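Added example, not from the paper: the evaluation of morris(2, 1) under the two calling conventions, with Python thunks standing in for call-by-name and a step budget standing in for an infinite computation. The helper names (Diverges, run, the three morris variants) are assumptions of this example.

```python
"""Morris's function (22) under call-by-value and call-by-name.

    morris(x, y) <- if x equal 0 then 0 else morris(x - 1, morris(x, y))

Ordinary Python calls give call-by-value; passing the second argument as a
thunk gives call-by-name.  A step budget stands in for "infinite
computation": exhausting it is reported as divergence, the role bottom plays
in the paper.  All names here are this example's own.
"""


class Diverges(Exception):
    """Raised when a computation exceeds its step budget."""


def morris_cbv(x, y, budget=300):
    """Call-by-value: every argument is evaluated before the body is entered.

    For x != 0 the second argument morris(x, y) is a call with the same
    arguments as the enclosing one, so it recurses without ever returning.
    """
    steps = 0

    def m(x, y):
        nonlocal steps
        steps += 1
        if steps > budget:
            raise Diverges()
        if x == 0:
            return 0
        inner = m(x, y)            # evaluated eagerly: never comes back
        return m(x - 1, inner)

    return m(x, y)


def morris_cbn(x, y, budget=300):
    """Call-by-name: the second argument is a thunk, forced only if used.

    The body never forces y, so morris(2, 1) needs just three calls.
    """
    steps = 0

    def m(x, y):                   # y is a zero-argument callable
        nonlocal steps
        steps += 1
        if steps > budget:
            raise Diverges()
        if x == 0:
            return 0
        return m(x - 1, lambda: m(x, y))   # inner call is delayed, not made

    return m(x, lambda: y)


def morris_cbn_strict(x, y, budget=300):
    """Call-by-name on the strict version of morris, which demands that all
    of its arguments be defined before computing.  Forcing the thunk
    re-enters the inner call, so this diverges exactly like call-by-value:
    strict programs are equi-terminating under both rules.
    """
    steps = 0

    def m(x, y):
        nonlocal steps
        steps += 1
        if steps > budget:
            raise Diverges()
        y()                        # strictness: insist the argument is defined
        if x == 0:
            return 0
        return m(x - 1, lambda: m(x, y))

    return m(x, lambda: y)


def run(f, *args):
    """Evaluate f(*args); None stands for bottom (no answer within budget)."""
    try:
        return f(*args)
    except (Diverges, RecursionError):
        return None


if __name__ == "__main__":
    for name, f in [("call-by-value", morris_cbv), ("call-by-name", morris_cbn),
                    ("strict call-by-name", morris_cbn_strict)]:
        print(f"morris(2, 1) {name}: {run(f, 2, 1)}")
```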
5. Finally, we can regard (18) and (22) as functional equations for * and morris respectively. In general, a functional equation may have many solutions or none. However, it is essentially Kleene's (1952) first recursion theorem (see Manna 1974, theorem 5-2) that if the right side is continuous in the function being defined and in the individual variables, there will be a unique minimal solution. This condition is assured if the right hand side is a term built from strict functions and predicates by composition and the formation of extended conditional expressions. Continuity is discussed in (Manna 1974). It is not permitted to use logical conditional expressions without satisfying additional hypotheses, and this restriction prevents true equality or any predicate from direct use. If logical conditional expressions were generally allowed, we could have sentences like

23) (∀x)(f(x) = IF f(x) = ⊥ THEN T ELSE ⊥)

which are self-contradictory. The corresponding version using extended conditional expressions, namely

24) (∀x)(f(x) = if f(x) equal ⊥ then T else ⊥)

is satisfied by f(x) = ⊥ and is therefore harmless. Logical conditional expressions can be used when we can guarantee that the propositional part is total and in some other cases.

The minimal solution is minimal in the sense that any other solution is greater in the ordering of functions previously given, i.e. if f is the minimal solution and φ is another solution, then

25) (∀x y)(f(x, y) ⊑ φ(x, y)).

The minimal solution of the functional equation can therefore be characterized by the schema

26) (∀x y)(φ(x, y) = τ[φ](x, y)) ⊃ (∀x y)(f(x, y) ⊑ φ(x, y)).
integers as similarly as possible. Therefore, the axioms are highly redundant. Adjoining ⊥ to the domains has both conveniences and inconveniences. The main convenience is that the recursive definitions now give total functions. A major inconvenience is that algebraic relations often require qualification, e.g. 0 × x = 0 isn't true if x = ⊥.

Our first axiom gives the algebraic relations of cons, car and cdr.

S1: (∀x y)(issexp x ∧ issexp y ⊃ ispair[x.y] ∧ a[x.y] = x ∧ d[x.y] = y)

The definition of atoms and pairs:

S2: (∀x)((ispair x ≡ issexp x ∧ ¬atom x) ∧ (atom x ⊃ issexp x))

Taking apart an S-expression and putting the parts back together gives back the original expression.

S3: (∀x)(ispair x ⊃ issexp a x ∧ issexp d x ∧ x = a x . d x)

Lists are included among S-expressions.

S4: (∀u)(islist u ⊃ issexp u)

Consing an S-expression onto a list gives a list.

S5: (∀x u)(issexp x ∧ islist u ⊃ islist[x.u])

NIL is the only atomic list and only NIL satisfies the predicate null.

S6: (∀u)((islist u ∧ atom u ≡ u = NIL) ∧ (null u ≡ u = NIL))

The simple structural induction schema for S-expressions:

S7: (∀x)(atom x ⊃ Φ x) ∧ (∀x)(ispair x ∧ Φ a x ∧ Φ d x ⊃ Φ x) ⊃ (∀x)(issexp x ⊃ Φ x)

The simple structural induction schema for lists:

S8: Φ NIL ∧ (∀u)(islist u ∧ ¬null u ∧ Φ d u ⊃ Φ u) ⊃ (∀u)(islist u ⊃ Φ u)

x ≤_S y means that x is a subexpression of y and is a well-founded partial ordering. It is important for course-of-values induction for S-expressions.

S9: (∀x y)(issexp x ∧ issexp y ⊃ (x ≤_S y ≡ x = y ∨ ¬atom y ∧ (x ≤_S a y ∨ x ≤_S d y)))

Definition of proper subexpression:

S10: (∀x y)(x <_S y ≡ x ≤_S y ∧ x ≠ y)

The course-of-values structural induction schema for S-expressions:

S11: (∀x)(issexp x ∧ (∀y)(issexp y ∧ y <_S x ⊃ Φ y) ⊃ Φ x) ⊃ (∀x)(issexp x ⊃ Φ x)

u ≤_L v is the natural well-founded partial ordering for lists. It can be read "The list u is a tail of the list v".

S12: (∀u v)(islist u ∧ islist v ⊃ (u ≤_L v ≡ u = v ∨ ¬null v ∧ u ≤_L d v))

u is a proper tail of v.

S13: (∀u v)(u <_L v ≡ u ≤_L v ∧ u ≠ v)

The course-of-values induction schema for lists. Course-of-values induction schemata are all the same except for the ordering used.

S14: (∀u)(islist u ∧ (∀v)(islist v ∧ v <_L u ⊃ Φ v) ⊃ Φ u) ⊃ (∀u)(islist u ⊃ Φ u)

These axioms for integers are based on the successor and predecessor functions and are analogous to the above axioms for S-expressions. They are equivalent to the usual first order number theory.

The relation between the successor and predecessor functions:

I1: (∀n)(isint n ⊃ isint succ n ∧ succ n ≠ 0 ∧ pred succ n = n)

As a function in the logic, the predecessor must always have a value. However, we say something about pred n only for non-zero n.

I2: (∀n)(isint n ∧ n ≠ 0 ⊃ isint pred n ∧ succ pred n = n)

The simple induction schema for integers:

I3: Φ 0 ∧ (∀n)(isint n ∧ n ≠ 0 ∧ Φ pred n ⊃ Φ n) ⊃ (∀n)(isint n ⊃ Φ n)

For course-of-values induction, we need the ordering relations.

I4: (∀m n)(isint m ∧ isint n ⊃ (m ≤ n ≡ m = n ∨ n ≠ 0 ∧ m ≤ pred n))

Proper ordering:

I5: (∀m n)(m < n ≡ m ≤ n ∧ m ≠ n)

The course-of-values schema:

I6: (∀n)(isint n ∧ (∀m)(isint m ∧ m < n ⊃ Φ m) ⊃ Φ n) ⊃ (∀n)(isint n ⊃ Φ n)

The recursive definition of addition:

I7: (∀m n)(isint m ∧ isint n ⊃ m + n = IF n = 0 THEN m ELSE succ(m + pred n))

Multiplication:

I8: (∀m n)(isint m ∧ isint n ⊃ m × n = IF n = 0 THEN 0 ELSE m + m × pred n)

The next group of axioms are concerned with extending the domain by adjoining ⊥. The predicates of the extended domains are istsexp, istlist and istint respectively.

Extending the S-expressions with ⊥:

E1: (∀x)(istsexp x ≡ issexp x ∨ x = ⊥)

Extending the lists with ⊥:

E2: (∀u)(istlist u ≡ islist u ∨ u = ⊥)

Extending the integers with ⊥:

E3: (∀n)(istint n ≡ isint n ∨ n = ⊥)

We need a function taking the value T when its argument is an S-expression. It will be used in extended conditional expressions.

E4: (∀x)(issexpf x = IF x = ⊥ THEN ⊥ ELSE IF issexp x THEN T ELSE F)

Likewise for lists:

E5: (∀u)(islistf u = IF u = ⊥ THEN ⊥ ELSE IF islist u THEN T ELSE F)

Likewise for integers:

E6: (∀n)(isintf n = IF n = ⊥ THEN ⊥ ELSE IF isint n THEN T ELSE F)

Extending the integer functions to take ⊥ as an argument. The extension is strict, i.e. the extended values are all ⊥.

E7: succ ⊥ = ⊥ ∧ pred ⊥ = ⊥

Extending the Lisp functions strictly to take ⊥ as an argument:

E8: a ⊥ = ⊥ ∧ d ⊥ = ⊥

The strict extension of cons. (Friedman and Wise (1977) propose a non-strict extension).

E9: (∀x)(x.⊥ = ⊥ ∧ ⊥.x = ⊥)

The functions at and n are defined from the predicates atom and null.

E10: (∀x)(at x = IF x = ⊥ THEN ⊥ ELSE IF atom x THEN T ELSE F)

E11: (∀u)(n u = IF u = ⊥ THEN ⊥ ELSE IF null u THEN T ELSE F)


7. Forms of Induction.

All proofs of non-trivial program properties require some form of mathematical induction. Methods of induction can be divided into three classes - induction on data, various forms of computation induction on approximations to the program, and induction on the course of the computation. It is not certain that these are really distinct; i.e. there may be systematic ways of regarding one as a form of another. In this section, we deal only with induction on data.

Induction on data often takes a form called structural induction in which the data domain consists of objects built up from elementary objects by a fixed finite set of operations. The construction of S-expressions from atoms by cons or the construction of the integers from zero by the successor operation are examples.

Induction can take two forms. One form involves the constructors or selectors of the domain directly. Simple list, S-expression, and numerical induction are examples. The second form is a course-of-values induction schema

27) (∀x)(isD x ∧ (∀y)(isD y ∧ y < x ⊃ Φ y) ⊃ Φ x) ⊃ (∀x)(isD x ⊃ Φ x)

based on an ordering relation < defined in terms of the selector functions. Course-of-values schemata were also given for lists, S-expressions and natural numbers. Course-of-values often gives a proof with a simpler induction predicate than simple induction.

A simple example is the termination of the list function alt defined by

28) alt u ← if n u or n d u then u else a u . alt dd u.

Because of the dd, simple induction doesn't work on the obvious predicate

29) Φ(u) ≡ islist alt u,

but course-of-values induction does work.

In the simple cases we have seen so far, the induction is on one of the variables in the program, but this is not the general case. More generally, the induction is on some function of the variables, and the domain of this function may be quite different from that of the variables of the program. Often it can be taken to be the natural numbers, but more generally it can be any partially ordered domain in which all descending chains are finite.

For example, S-expression induction can be replaced by induction on natural numbers by introducing the function size x defined by

30) size x ← if at x then 1 else size a x + size d x.

Size has the property that size a x < size x and size d x < size x. We can prove that a formula Φ(x) holds for all S-expressions by "induction on the size of x". This is done by proving that the formula Φ' given by

31) Φ'(n) ≡ (∀x)(size x = n ⊃ Φ(x))

holds for all numbers using numerical induction. In fact any proof of the formula Φ by S-expression induction can easily be converted to a proof of Φ' by numerical induction and vice versa.

A more exotic example of this is provided by the Takeuchi function (Takeuchi 1978) defined by

32) tak(m, n, p) ←
if m lesseq n then n else tak(tak(m − 1, n, p), tak(n − 1, p, m), tak(p − 1, m, n)).

The function is total when the arguments are integers and is equal to

33) takC(m1, m2, m3) = IF m1 ≤ m2 THEN m2 ELSE IF m2 ≤ m3 THEN m3 ELSE m1.

The most convenient proof that tak is total uses the course-of-values schema for integers with

34) Φ(n) ≡ (∀m1 m2 m3)(rank(m1, m2, m3) = n ⊃ tak(m1, m2, m3) = takC(m1, m2, m3)),

where

35) rank(m1, m2, m3) = dtak1(m1 − m2, m3 − m2),

and

36) dtak1(n1, n2) = IF n1 ≤ 0 THEN 0
ELSE IF n2 ≥ 2 THEN n1 + n2(n2 − 1)/2 − 1
ELSE IF n2 = 0 THEN n1
ELSE IF n2 = −1 THEN (n1 + 1)(n1 + 2)/2 − 1
ELSE (n1 − n2)(n1 − n2 + 1)/2 − n1 − 1.
This is an example of the more general form of inductive proof. A rank function is defined taking values in some inductively ordered domain (in this case the natural numbers), and the theorem is proved under the hypothesis that it is true for all lower rank tuples of variables. The term structural induction seems no longer applicable to this general case, because it is not an induction on the structure of the data domain of the program, although it requires no new machinery when we are operating within first order logic. Perhaps structural induction was a misnomer anyway, since the more general form corresponds to how mathematicians already looked at induction.

The inductively ordered set serving as the domain of the rank function is chosen for convenience, where the object is to get a short and understandable proof. If we only care about whether a proof exists and not how easy it is to write and read, then all the domains considered so far are equivalent to the natural numbers. To get something stronger, we go to induction over transfinite ordinal numbers - explained in most books on axiomatic set theory.

The axiom schema for induction over ordinals is just the usual course-of-values schema written with the ordering over the ordinals. In order to use it, this ordering must be defined, and we must be able to write a rank function from tuples to ordinals. This requires that we use a notation for ordinals, and any given notation represents only the ordinals less than some bound. Most proofs arising in practice will involve only ordinals less than which can be represented as polynomials in ω.

An example requiring induction up to ω² is proving the termination of Ackermann's function, which has the functional equation

37) (∀m n)(A(m, n) =
if m equal 0 then n + 1 else if n equal 0 then A(m − 1, 0) else A(m − 1, A(m, n − 1))).

The statement to be proved is

38) (∀α)(α < ω² ⊃ Φ(α)),

where

39) (∀α)(Φ(α) ≡ (∀m n)(rank(m, n) = α ⊃ isint A(m, n))),

and

40) (∀m n)(rank(m, n) = ω·m + n).

The proof is straightforward, because ω(m − 1) < ωm + n and ωm + (n − 1) < ωm + n, so we can assume isint A(m − 1, 0) and isint A(m, n − 1). From the latter, it follows that ω(m − 1) + A(m, n − 1) < ωm + n, which completes the induction step.



8. An Extended Example.

The SAMEFRINGE problem is to write a program that efficiently determines whether two S-expressions have the same fringe, i.e. have the same atoms in the same order. (Some people omit the NILs at the ends of lists, but we will take all atoms). Thus ((A.B).C) and (A.(B.C)) have the same fringe, namely (A B C). The object of the original problem was to program it using a minimum of storage, and it was conjectured that co-routines were necessary to do it neatly. We shall not discuss that matter here - merely the extensional correctness of one proposed solution.

The relevant recursive definitions are

41) fringe x ← if at x then <x> else fringe a x * fringe d x.

We are interested in the condition fringe x = fringe y.

The function to be proved correct is samefringe[x, y] defined by the simultaneous recursion

42) samefringe[x, y] ← (x equal y) or [not at x and not at y and same[gopher x, gopher y]],

43) same[x, y] ← (a x equal a y) and samefringe[d x, d y]

where

44) gopher x ← if at a x then x else gopher aa x . [da x . d x].

We need to prove that samefringe is total and

45) (∀x y)(samefringe[x, y] = T ≡ fringe x = fringe y).

The functional equations are

46) (∀x)(fringe x = if at x then <x> else fringe a x * fringe d x),

47) (∀u v)(u * v = if n u then v else a u . [d u * v]),

48) (∀x y)(samefringe[x, y] =
x equal y or [not at x and not at y and same[gopher x, gopher y]]),

49) (∀x y)(same[x, y] = a x equal a y and samefringe[d x, d y]),

50) (∀x)(gopher x = if at a x then x else gopher aa x . [da x . d x]).

We shall not give full proofs but merely the induction predicates and a few indications of the algebraic transformations. We begin with a lemma about gopher.

51) (∀x y)(ispair gopher[x.y] ∧ atom a gopher[x.y] ∧ fringe gopher[x.y] = fringe[x.y]).

This lemma can be proved by S-expression structural induction on x using the predicate

52) Φ(x) ≡ (∀y)(ispair gopher[x.y] ∧ atom a gopher[x.y] ∧ fringe gopher[x.y] = fringe[x.y]).

In the course of the proof, we use the associativity of * and the formula fringe[x.y] = fringe x * fringe y. The lemma was expressed using gopher[x.y] in order to avoid considering atomic arguments for gopher, but it could equally well have been proved about gopher x with the condition ¬atom x.

For our proof about samefringe we need one more lemma about gopher, namely

53) (∀x y)(size gopher[x.y] = size[x.y]).

This can be proved by S-expression induction on x separately or as a part of the above lemma by including size gopher[x.y] = size[x.y] as a conjunct in (51) and (52).

The statement about samefringe is

54) (∀x y)(issexp samefringe[x, y] ∧ (samefringe[x, y] = T ≡ fringe x = fringe y)),

and it is most easily proved by induction on size x + size y using the predicate

55) Φ(n) ≡ (∀x y)(n = size x + size y ⊃
issexp samefringe[x, y] ∧ (samefringe[x, y] = T ≡ fringe x = fringe y)).

It can also be proved using the well-foundedness of lexicographic ordering of the list <x, a x>, but then we must decide what lexicographic orderings to include in our axiom system.

Transfinite induction is also useful, and can be illustrated with a variant samefringe that does everything in one complicated recursive definition, namely

56) samefringe[x, y] ←
(x equal y) or
not at x and not at y and
if at a x then [if at a y then a x equal a y and samefringe[d x, d y]
else samefringe[x, aa y . [da y . d y]]]
else samefringe[aa x . [da x . d x], y].

The transfinite induction predicate then has the form

57) Φ(n) ≡ (∀x y)(n = ω(size x + size y) + size a x + size a y ⊃
issexp samefringe[x, y] ∧ (samefringe[x, y] = T ≡ fringe x = fringe y)).
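Added example, not from the paper: fringe, gopher and both versions of samefringe in Python, together with the size function of (30) and a check that the rank of (57) decreases at every recursive call of the one-definition variant (56). The tuple encoding of S-expressions and all helper names (at, a, d, cons, rank, ranks_descend) are assumptions of this example.

```python
"""fringe, gopher and samefringe on S-expressions, with the induction ranks
used in the paper checked on constructed inputs.

Representation assumed here (not the paper's): an atom is a Python str
(including 'NIL'), a cons cell [a . d] is the tuple (a, d), and `equal` is
Python's structural ==.
"""


def at(x):
    """at x: T when x is an atom (function form of the predicate atom)."""
    return isinstance(x, str)


def a(x):
    return x[0]


def d(x):
    return x[1]


def cons(x, y):
    return (x, y)


def fringe(x):
    """41) fringe x <- if at x then <x> else fringe a x * fringe d x"""
    return [x] if at(x) else fringe(a(x)) + fringe(d(x))


def size(x):
    """30) size x <- if at x then 1 else size a x + size d x"""
    return 1 if at(x) else size(a(x)) + size(d(x))


def gopher(x):
    """44) gopher x <- if at a x then x else gopher aa x . [da x . d x]

    Rotates the leftmost atom of the pair x to the front.  Lemmas (51) and
    (53): the result is a pair whose car is an atom, with the same fringe
    and the same size as x.
    """
    while not at(a(x)):                      # the recursion is a tail call
        x = cons(a(a(x)), cons(d(a(x)), d(x)))
    return x


def samefringe(x, y):
    """42) samefringe[x, y] <- (x equal y) or
             [not at x and not at y and same[gopher x, gopher y]]"""
    return x == y or (not at(x) and not at(y) and same(gopher(x), gopher(y)))


def same(x, y):
    """43) same[x, y] <- (a x equal a y) and samefringe[d x, d y]"""
    return a(x) == a(y) and samefringe(d(x), d(y))


def rank(x, y):
    """The ordinal omega*(size x + size y) + size a x + size a y of (57), for
    pairs x and y, encoded as a pair of naturals ordered lexicographically."""
    return (size(x) + size(y), size(a(x)) + size(a(y)))


def samefringe1(x, y, trace=None):
    """56) the single-definition variant of samefringe.

    When `trace` is a list, the rank of every recursive call made on two
    pairs is appended to it, so the descent claimed by (57) can be checked.
    """
    if x == y:
        return True
    if at(x) or at(y):
        return False
    if trace is not None:
        trace.append(rank(x, y))
    if at(a(x)):
        if at(a(y)):
            return a(x) == a(y) and samefringe1(d(x), d(y), trace)
        return samefringe1(x, cons(a(a(y)), cons(d(a(y)), d(y))), trace)
    return samefringe1(cons(a(a(x)), cons(d(a(x)), d(x))), y, trace)


def ranks_descend(x, y):
    """True iff every recursive step of samefringe1 strictly lowered the rank."""
    trace = []
    samefringe1(x, y, trace)
    return all(later < earlier for earlier, later in zip(trace, trace[1:]))


# Constructed inputs: ((A.B).C) and (A.(B.C)) from the text, plus a pair
# that differs only in the order of its atoms.
X = cons(cons("A", "B"), "C")
Y = cons("A", cons("B", "C"))
Z = cons("B", cons("A", "C"))

if __name__ == "__main__":
    print(fringe(X), fringe(Y), samefringe(X, Y), samefringe(X, Z))
    print(ranks_descend(cons(cons(cons("A", "B"), "C"), "NIL"),
                        cons("A", cons("B", cons("C", "NIL")))))
```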

We would like to prove that the amount of storage used in the computation of samefringe[x, y], aside from that occupied by x and y, never exceeds the sum of the numbers of cars required to reach corresponding atoms in x and y. Unfortunately, we can't even express that fact, because we are axiomatizing the programs as functions, and the amount of storage used does not depend merely on the function being computed: it depends on the method of computation. We may regard such things as intensional properties, but any correspondence with the notion of intensional properties in intensional logic remains to be established. Many such intensional properties of a program are extensional properties of certain "derived programs", and some are even extensional properties of the functional τ.


9. The Minimisation Schema.

The functional equation of a program doesn't completely characterise it. For example, the program

58) f1 x ← f1 x

leads to the sentence

59) (∀x)(f1 x = f1 x)

which provides no information although the function f1 is undefined for all x. This is not always the case, since the program

60) f2 x ← (f2 x).NIL

has the functional equation

61) (∀x)(f2 x = (f2 x).NIL),

from which (∀x)¬issexp f2(x) can be proved by induction.

In order to characterise recursive programs, we need some way of asking for the least defined solution of the functional equation.

Suppose the program is

62) f(x, y) ← τ[f](x, y)

yielding the functional equation

63) (∀x y)(f(x, y) = τ[f](x, y)).

The minimization schema is then

64) (∀x)(τ[φ](x) ⊑ φ(x)) ⊃ (∀x)(f(x) ⊑ φ(x)).

In the case of Append we have

65) (∀u v)(φ(u, v) ⊒ if n u then v else a u . φ(d u, v)) ⊃ (∀u v)(φ(u, v) ⊒ u * v).

In the schema φ is a free function variable of the appropriate number of arguments. The schema is just a translation into first order logic of Park's (1970) theorem

66) τ[φ] ⊑ φ ⊃ μτ ⊑ φ.

Here μ is the least fixed point operator.

[Note that this theorem is a generalization to continuous functionals of the second part of Kleene's first recursion theorem (Kleene 1952)]

The simplest application of the schema is to show that the f1 defined by (58) is never an S-expression. The schema becomes

67) (∀x)(φ x ⊑ φ x) ⊃ (∀x)(f1 x ⊑ φ x),

and we take

68) φ x = ⊥.

The left side of (67) is identically true, and, remembering that ⊥ is not an S-expression, the right side tells us that f1 x is never an S-expression.

The minimization schema can sometimes be used to show partial correctness. For example, the well known 91-function is defined by the recursive program over the integers

69) f91 x ← if x greater 100 then x − 10 else f91 f91(x + 11).

The goal is to show that

70) (∀x)(f91 x = IF x > 100 THEN x − 10 ELSE 91).

We apply the minimization schema with

71) φ x ← if x greater 100 then x − 10 else 91,

and it can be shown by an explicit calculation without induction that the premiss of the schema is satisfied, and this shows that f91, whenever defined, has the desired value.

The method of recursion induction (McCarthy 1963) is also an immediate application of the minimization schema. If we show that two functions satisfy the schema of a recursive program, we show that they both equal the function computed by the program wherever the function is defined.

The utility of the minimization schema for proving partial correctness or non-termination depends on our ability to name suitable comparison functions. f1 and f91 were easily treated, because the necessary comparison functions could be given explicitly without recursion. Any extension of the language that provides new tools for naming comparison functions, e.g. going to higher order logic, will improve our ability to use the schema in proofs.


10. Derived Programs and Complete Recursive Programs.

The methods considered so far in this paper concern extensional properties of programs, i.e. properties of the function computed by the program. The following are not extensional properties: the number of times a certain function is evaluated in executing the program, including as a special case the number of recursions, the maximum depth of recursion, and the maximum amount of storage used. Some of these properties depend on whether the program is executed call-by-name or call-by-value, while others are extensional properties of the functional of the program.

Many of these intensional properties of a program are extensional properties of related programs called derived programs. For example, the number of cons operations done by Append can be computed by a program of the same recursive structure, namely

72) ncappend[u, v] ← if n u then 0 else 1 + ncappend[d u, v].

If we define flat by

73) flat[x, u] ← if at x then x.u else flat[a x, flat[d x, u]]

then the number of recursions done by flat is given by

74) nrflat[x, u] ← if at x then 1 else 1 + nrflat[a x, flat[d x, u]] + nrflat[d x, u],

noticing that nrflat is mutually recursive with flat itself. The maximum depth of recursion of the 91-function is given by

75) df91 n ← 1 + if n greater 100 then 0 else max(df91(n + 11), df91(f91(n + 11))).

Morris (1968) discussed a derived function that gives successive approximations of bounded recursion depth to a recursive function by modifying the definition to take a "rationed" number of allowed recursions. For append we would have

76) append1[n, u, v] ←
if n equal 0 then ⊥ else if n u then v else a u . append1[n − 1, d u, v].

Thus append1[n, u, v] computes u * v but with a ration of n recursions. If the computation would require more than n recursions, the value is ⊥, i.e. is undefined.
We can give a general rule for the rationed recursion function. Suppose that P is a program for the function f(x, y):

P: f(x, y) ← τ[f](x, y).

Then

C(P): g(n, x, y) ← τ'[g](n, x, y)

where

77) τ'[g] = (λn x y)(if n equal 0 then ⊥ else τ[(λx y) g(n − 1, x, y)](x, y))

is a program for the rationed recursion function g(n, x, y). In this case, the functional for the derived function is expressed by a formula in the functional for the original function. This can't always be done.

We can use the rationed recursion function as an alternative to the minimization schema for completing the characterization of f_P. Namely we have

78) (∀x y)(isD f_P(x, y) ≡ (∃n)(isD f_C(P)(n, x, y))),

and whether f_C(P)(n, x, y) is defined for given arguments is determined by its functional equation, because C(P) is what (Cartwright 1978) calls a complete recursive program.
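Added example, not from the paper: rule (77) written as a Python transformer from a functional τ to its rationed form, applied to the 91-function of (69) and to append, so that the least ration of (78) can be compared with the derived program df91 of (75). Helper names (rationed, defined, least_ration, tau_f91, tau_append) and the exception used for ⊥ are assumptions of this example.

```python
"""Rationed recursion C(P) built from a functional tau, applied to the
91-function and to append.

A functional tau is written as a Python function taking the recursive
function f and returning the body as a function of the arguments;
`rationed(tau)` is rule (77).  Bottom is an exception, so the strict
extension of every function comes for free.  All names are this example's.
"""


class Bottom(Exception):
    """The undefined value: raised when a ration of recursions runs out."""


def rationed(tau):
    """77) tau'[g] = (lambda n x..)(if n equal 0 then bottom
                                    else tau[(lambda x..) g(n-1, x..)](x..))"""
    def g(n, *args):
        if n == 0:
            raise Bottom()
        return tau(lambda *inner: g(n - 1, *inner))(*args)
    return g


def defined(g, *args):
    """isD g(args): True when the computation has a value, False for bottom."""
    try:
        g(*args)
        return True
    except Bottom:
        return False


def least_ration(g, *args, limit=1000):
    """Smallest n with isD g(n, args), the witness in (78); None if no such n
    below `limit` exists, i.e. the original computation does not terminate
    within that many nested recursions."""
    for n in range(limit):
        if defined(g, n, *args):
            return n
    return None


# --- the 91-function (69), its closed form (70) and its depth (75) -------

def tau_f91(f):
    return lambda x: x - 10 if x > 100 else f(f(x + 11))


f91_rationed = rationed(tau_f91)       # C(P) for the 91-function


def f91(x):
    """69) f91 x <- if x greater 100 then x - 10 else f91 f91(x + 11)"""
    return tau_f91(f91)(x)


def f91_closed(x):
    """70) IF x > 100 THEN x - 10 ELSE 91"""
    return x - 10 if x > 100 else 91


def df91(n):
    """75) df91 n <- 1 + if n greater 100 then 0
                         else max(df91(n + 11), df91(f91(n + 11)))"""
    return 1 + (0 if n > 100 else max(df91(n + 11), df91(f91(n + 11))))


# --- append (47) and its rationed form (76) ------------------------------

NIL = "NIL"


def tau_append(f):
    # if n u then v else a u . [d u * v], lists as nested (car, cdr) tuples
    return lambda u, v: v if u == NIL else (u[0], f(u[1], v))


append1 = rationed(tau_append)         # 76) append1[n, u, v]


def as_list(*items):
    lst = NIL
    for item in reversed(items):
        lst = (item, lst)
    return lst


def length(u):
    return 0 if u == NIL else 1 + length(u[1])


if __name__ == "__main__":
    for x in (101, 100, 99, 50):
        print(x, f91(x), f91_closed(x), df91(x), least_ration(f91_rationed, x))
    u, v = as_list("A", "B", "C"), as_list("D")
    print(append1(4, u, v), least_ration(append1, u, v))
```

For the 91-function the least ration equals the recursion depth df91 because each nested call consumes exactly one unit of the ration.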

A recursive program P is called complete if its functional τ_P has only one fixed point f_P. Since the minimization schema is used for distinguishing the least fixed point, it is redundant for complete programs. The idea of complete recursive program was first advanced in (Cartwright 1978) as an alternative to the minimization schema for completing the characterization of the function computed by a program. The idea was to compute the computation sequence of a program P with a related complete recursive program C(P) and to show metamathematically that for any program

79) (∀x)(f(x) = last f_C(P)(x))

where f_C(P) is the function computed by C(P), and last is a function giving the last element of a list - in this case the list of values of f arising in the computation. Since whether C(P) terminates for given arguments follows from its functional equation, (79) allows us to establish this for P itself. The constructions of (Cartwright 1978) were somewhat involved and differed substantially according to whether the original program was executed call-by-name or call-by-value.

The derived programs that give the number of recursions are complete, so that nrflat as defined above satisfies

80) (∀x u)(isint nrflat[x, u] ≡ issexp flat[x, u]).

A program for the number of recursions done when a program is evaluated call-by-name can also be given. Thus the number of recursions done in evaluating morris[m, n] call-by-name is given by cmorris[m, 0, n, 0] where

81) cmorris[m, cm, n, cn] ←
1 + cm + if m equal 0 then 0 else cmorris[m − 1, 0, morris[m, n], cmorris[m, 0, n, cn]].

The idea is that the arguments cm and cn are the numbers of recursive calls involved in evaluating m and n respectively. morris and cmorris are again equi-terminating.


11. Proof Methods as Axiom Schemata

Representing recursive definitions in first order logic permits us to express some well known methods for proving partial correctness as axiom schemata of first order logic.

For example, suppose we want to prove that if the input x of a function f defined by

82) f x ← if p x then x else f h x

satisfies Φ(x), then if the function terminates, the output f(x) will satisfy Ψ(x, f(x)). We appeal to the following axiom schema of inductive assertions:

83) (∀x)(Φ(x) ⊃ q(x, x)) ∧ (∀x y)(q(x, y) ⊃ if p y then Ψ(x, y) else q(x, h y))
⊃ (∀x)(Φ(x) ∧ isD f x ⊃ Ψ(x, f x))

where isD f x is the assertion that f(x) is in the nominal range of the function definition, i.e. is an integer or an S-expression as the case may be, and asserts that the computation terminates. In order to use the schema, we must invent a suitable predicate q(x, y), and this is precisely the method of inductive assertions. The schema is valid for all predicates Φ, Ψ, and q, and a similar schema can be written for any collection of mutually recursive definitions that is iterative.

The method of subgoal induction for recursive programs was introduced in (Manna and Pnueli 1970), but they didn't give it a name. Morris and Wegbreit (1977) name it, extend it somewhat, and apply it to Algol-like programs. Unlike inductive assertions, it isn't limited to iterative definitions. Thus, for the recursive program

84) f x ← if p x then h x else g1 f g2 x,

where p is assumed total, we have

85) (∀x)(p x ⊃ q(x, h x)) ∧ (∀x z)(¬p(x) ∧ q(g2 x, z) ⊃ q(x, g1 z)) ∧ (∀x z)(Φ(x) ∧ q(x, z) ⊃ Ψ(x, z))
⊃ (∀x)(Φ(x) ∧ isD(f(x)) ⊃ Ψ(x, f(x))).

We can express these methods as axiom schemata, because we have the predicate isD to express termination. The minimization schema itself can be proved by subgoal induction. We need only take Φ(x) ≡ true and Ψ(x, y) ≡ (y ⊑ φ(x)) and q(x, y) ≡ (y ⊑ φ(x)).

General rules for going from a recursive program to what amounts to the subgoal induction schema are given in (Manna and Pnueli 1970) and (Morris and Wegbreit 1977); we need only add a conclusion involving the isD predicate to Manna and Pnueli's formula Wp.

However,  we  can  characterize  subgoal  induction  as  an  axiom  schema.  Namely,  we  define 
r '[f]  as  an  extension  of  T mapping  relations  into  relations.  Thus  If 

86)  rl/Xx)  - if  ^ X then  A x else  gl  / g2  x, 
we  have 

87)  T '(^Xx,  j)  ■ If  p X then  (y  • A x)  else  3z.(^g2  x,  z)  y - gl  z). 

In  general  we  have 

88)  (VxyXT'[^Xx,y)  3 fl(x,y))  3 (VxKijD/x  3 9(x,/x)), 

from  which  the  subgoal  induction  rule  follows  immediately  given  the  properties  of  ♦ and  ♦.  1 
am  indebted  to  Wolfgang  Polak  (oral  communication)  for  help  in  elucidating  this  relationship. 

WARNING:  The  rest  of  this  section  is  somewhat  conjectural.  There  may  be  bugs. 

The extension $\tau'[q]$ can be determined as follows. Introduce into the logic the notion of a multi-term, which is formed in the same way as a term but allows relations written as functions.

For the present we won't interpret them but merely give rules for introducing them and subsequently eliminating them again to get an ordinary formula. Thus we will write q<e>, where e is any term or multi-term. We then form $\tau'[q]$ exactly in the same way $\tau[f]$ was formed. Thus for the 91-function we have

89) $\tau'[q](x) = \mathbf{if}\ x > 100\ \mathbf{then}\ x - 10\ \mathbf{else}\ q\langle q\langle x + 11\rangle\rangle$.

The pointy brackets indicate that we are 'applying' a relation. We now evaluate $\tau'[q](x, y)$ formally as follows:

90) $\tau'[q](x, y) \equiv (\mathbf{if}\ x > 100\ \mathbf{then}\ x - 10\ \mathbf{else}\ q\langle q\langle x + 11\rangle\rangle)(y)$

$\equiv \mathbf{if}\ x > 100\ \mathbf{then}\ y = x - 10\ \mathbf{else}\ q(q\langle x + 11\rangle, y)$

$\equiv \mathbf{if}\ x > 100\ \mathbf{then}\ y = x - 10\ \mathbf{else}\ \exists z.(q(x + 11, z) \wedge q(z, y))$.

This last formula has no pointy brackets and is just the formula that would be obtained by Manna and Pnueli or Morris and Wegbreit. The rules are as follows:

(i) $\tau'[q](x)$ is just like $\tau[f](x)$ except that q replaces f and takes its arguments in pointy brackets.

(ii) an ordinary term t applied to y becomes y = t.

(iii) q<t>(y) becomes q(t, y).

(iv) P(q<e>) becomes $\exists z.(q(e, z) \wedge P(z))$ when P(q<e>) occurs positively in $\tau'[q](x, y)$ and becomes $\forall z.(q(e, z) \supset P(z))$ when the occurrence is negative. It is not evident whether an independent semantics can be given to multi-terms.
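As an added illustration (example code, not from the paper), the following Python reads $\tau'[q]$ for the 91-function directly off formula (90) and searches the hypothesis of schema (88) over a finite range of integers. Two things are assumptions of the example rather than anything the paper fixes: the existential quantifier in (90) is bounded to a finite range of z, and the relation q is a candidate input-output relation we supply. A second, wrong candidate is included to show that the search rejects it and reports where.

```python
# Added example (not code from the paper): the relational form tau'[q] of the
# 91-function, formula (90), checked mechanically over bounded ranges.
# Assumptions: integers only; the existential over z in (90) is bounded to a
# finite range; "q_intended" is our candidate relation, not fixed by the paper.


def f91(x):
    """The 91-function as a recursive program:
    f x <- if x > 100 then x - 10 else f f (x + 11)."""
    return x - 10 if x > 100 else f91(f91(x + 11))


def q_intended(x, y):
    """The relation the 91-function is believed to compute:
    y = (if x > 100 then x - 10 else 91)."""
    return y == (x - 10 if x > 100 else 91)


def tau_prime(rel, x, y, zs):
    """tau'[rel](x, y) read off formula (90):
    if x > 100 then y = x - 10 else (exists z)(rel(x + 11, z) and rel(z, y)).
    The existential is decided by trying every z in the finite range zs."""
    if x > 100:
        return y == x - 10
    return any(rel(x + 11, z) and rel(z, y) for z in zs)


def hypothesis_counterexamples(rel, xs, ys, zs):
    """Search the hypothesis of (88), (forall x y)(tau'[rel](x, y) implies rel(x, y)),
    over finite ranges.  Returns the (x, y) pairs that violate it; an empty list
    means rel is closed under tau' on the ranges examined."""
    return [(x, y) for x in xs for y in ys
            if tau_prime(rel, x, y, zs) and not rel(x, y)]


def conclusion_holds(rel, xs):
    """The conclusion of (88): rel(x, f x) whenever f x is defined.  f91 is total,
    so isD f(x) holds for every integer x."""
    return all(rel(x, f91(x)) for x in xs)


if __name__ == "__main__":
    R = range(0, 121)
    print(hypothesis_counterexamples(q_intended, R, R, R))   # []
    print(conclusion_holds(q_intended, R))                   # True
    # A wrong candidate fails the hypothesis, and the failures say where:
    print(hypothesis_counterexamples(lambda x, y: y == 91, R, R, R)[:3])
```

For q_intended no counterexample is found on the range and q(x, f x) holds there, which is what (88) predicts once the hypothesis holds. The bounded search is evidence for a proof, not a proof: the quantifiers in (88) range over all integers, and the wrong candidate shows the kind of pair a proof attempt would get stuck on.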


12. Representations Using Finite Approximations.

Our second approach to representing recursive programs by first order formulas goes back to Gödel (1931, 1934), who showed that primitive recursive functions could be so represented. (Our knowledge of Gödel's work comes from (Kleene 1952).)

Kleene (1952) calls a partial function f representable if there is an arithmetic formula A with free variables x and y such that

91) $(\forall x\,y)((y = f(x)) \equiv A)$,

where an arithmetic formula is built up from integer constants and variables using only addition, multiplication and bounded quantification. Kleene showed that all partial recursive functions are representable. The proof involves Gödel numbering possible computation sequences and showing that the relation between sequences and their elements and the steps of the computation are all representable.

In Lisp less machinery is needed, because sequences are Lisp data, and the relation between a sequence and its elements is given by the basic Lisp functions and by the sublist relation $\sqsubseteq$ axiomatized in section 6 by

92) $(\forall u\,v)(u \sqsubseteq v \equiv (u = v) \vee \neg null\,v \wedge u \sqsubseteq d\,v)$.

Starting with $\sqsubseteq$ and the basic Lisp functions and predicates we will define other Lisp predicates without recursion.

First we define the well known Lisp function assoc, whose usual recursive definition is

93) $assoc(x, w) \leftarrow \mathbf{if}\ null\,w\ \mathbf{then}\ NIL\ \mathbf{else\ if}\ x = aa\,w\ \mathbf{then}\ a\,w\ \mathbf{else}\ assoc(x, d\,w)$

or non-recursively

94) $(\forall y)(y = assoc(x, w) \equiv (\forall u)(u \sqsubseteq w \supset aa\,u \ne x) \wedge y = NIL$

$\vee (\exists u)(u \sqsubseteq w \wedge x = aa\,u \wedge y = a\,u \wedge (\forall v)(v \sqsubseteq w \wedge u \sqsubseteq v \wedge u \ne v \supset aa\,v \ne x)))$.
Now suppose that

95) $f\,x \leftarrow \tau[f](x)$

is a recursive program, i.e. $\tau$ is a continuous functional. Our non-recursive definition of f uses finite approximations to f, i.e. lists of pairs (x . f(x)), where each pair can be computed from the functional $\tau$ using only the pairs that follow it on the list. Thus we define

96) $ok[\tau](w) \leftarrow null\,w \vee da\,w = \tau[(\lambda x)(\mathbf{if}\ null\,assoc[x, d\,w]\ \mathbf{then}\ \bot\ \mathbf{else}\ d\,assoc[x, d\,w])](aa\,w) \wedge ok[\tau](d\,w)$,

or non-recursively

97) $(\forall w)(ok[\tau](w) \equiv (\forall u)(u \sqsubseteq w \supset null\,u \vee da\,u = \tau[(\lambda x)(\mathbf{if}\ null\,assoc[x, d\,u]\ \mathbf{then}\ \bot\ \mathbf{else}\ d\,assoc[x, d\,u])](aa\,u)))$.

Now we can define y = f(x) in terms of the existence of a suitable w, namely

98) $(\forall x\,y)(y = f(x) \equiv (\exists w)(ok[\tau](w) \wedge y = \tau[(\lambda x)(\mathbf{if}\ null\,assoc[x, w]\ \mathbf{then}\ \bot\ \mathbf{else}\ d\,assoc[x, w])](x)))$.
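As an added illustration of (96) and (98) (example code, not the paper's), the following Python builds a finite approximation w for the 91-function by call-by-value evaluation, checks it with ok[τ] as defined in (96), and recovers f(x) from it the way the body of (98) does. It assumes integer arguments, models ⊥ by None, and represents the Lisp list of dotted pairs (x . f(x)) as a Python list of tuples; assoc and the λ-expression of (96) are written out as ordinary functions.

```python
# Added example (not code from the paper): finite approximations to a recursive
# program as checkable certificates, following formulas (96) and (98).
# Assumptions: the program is the 91-function on integers; the undefined element
# "bottom" is modelled by None; a finite approximation w is a Python list of
# (argument, value) tuples standing in for the Lisp list of dotted pairs.

BOTTOM = None


def tau91(g):
    """The functional tau of the 91-function: tau[g](x) = if x > 100 then x - 10
    else g(g(x + 11)), with bottom propagating through applications of g."""
    def t(x):
        if x > 100:
            return x - 10
        z = g(x + 11)
        return BOTTOM if z is BOTTOM else g(z)
    return t


def assoc(x, w):
    """Lisp assoc: the first pair on w whose key is x, or () if there is none."""
    for pair in w:
        if pair[0] == x:
            return pair
    return ()


def approx(w):
    """(lambda x)(if null assoc[x, w] then bottom else d assoc[x, w]): the partial
    function that the list w stands for."""
    def g(x):
        pair = assoc(x, w)
        return BOTTOM if pair == () else pair[1]
    return g


def ok(tau, w):
    """Formula (96): w is ok if every pair (x . y) on it is justified by the pairs
    that follow it, i.e. y = tau[approx(d w)](x)."""
    for i, (x, y) in enumerate(w):
        if tau(approx(w[i + 1:]))(x) != y:
            return False
    return True


def certificate(tau, x):
    """Build an ok list for x by call-by-value evaluation of the least fixed point
    of tau, recording each (argument, value) pair as soon as it is determined.
    Every pair depends only on pairs recorded earlier, so the reversed record
    has each pair followed by the pairs that justify it."""
    record = []

    def f(a):
        pair = assoc(a, record)
        if pair != ():
            return pair[1]
        v = tau(f)(a)
        record.append((a, v))
        return v

    f(x)
    return list(reversed(record))


def value_via(tau, w, x):
    """The body of formula (98): tau[approx(w)](x).  For an ok list w this is f(x)
    when w covers the points the computation needs and bottom otherwise, which is
    why (98) quantifies w existentially instead of fixing one list."""
    return tau(approx(w))(x)


if __name__ == "__main__":
    w = certificate(tau91, 0)
    print(ok(tau91, w))                      # True
    print(value_via(tau91, w, 0))            # 91
    print(ok(tau91, list(reversed(w))))      # False: pairs precede their justification
    print(value_via(tau91, w, -5))           # None: the list does not cover x = -5
```

The order of pairs matters: reversing a certificate makes ok fail, because a pair then comes before the pairs that justify it, exactly the situation (96) excludes by looking only at d w. A certificate witnesses only the arguments it covers; a different x may need a different w, which is the existential in (98).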

It might be asked whether $\sqsubseteq$ is necessary. Couldn't we represent recursive programs using just car, cdr, cons and atom? No, for the following reason. Suppose that the function f is representable using only the basic Lisp functions without $\sqsubseteq$, and consider the sentence

99) $(\forall x)(issexp\,f(x))$,

asserting the totality of f. Using the representation, we can write (99) as a sentence involving only the basic Lisp functions and the constant $\bot$. However, Oppen (1978) has shown that these sentences are decidable, and totality isn't.

In the case of functions of several variables, (98) corresponds to a call-by-value computation rule, while the representations of the previous sections correspond to call-by-name or other "safe" rules. Treating call-by-name similarly requires a definition of ok in which some of the tuples have some missing elements.

Note: Our original intention was to take the more general subexpression relation as basic, but curiously, we have not succeeded in defining $\sqsubseteq$ non-recursively in terms of it, although the converse is a consequence of our general construction.
13. Questions of Incompleteness.

Luckham, Park and Paterson (1970) have shown that whether a program schema diverges for every interpretation, whether it diverges for some interpretation, and whether two program schemas are equivalent are all not even partially solvable problems. Manna (1974) has a thorough discussion of these points. In view of these results, what can be expected from our first order representations?

First let us construct a Lisp computation that does not terminate, but whose non-termination cannot be proved from the axioms Lisp I within first order logic. We need only program a proof-checker for first order logic, set it to generate all possible proofs starting with the axioms Lisp I, and stop when it finds a proof of (NIL ≠ NIL) or some other contradiction. Assuming the axioms are consistent, the program will never find such a proof and will never stop. In fact, proving that the program will never stop is precisely proving that the axioms are consistent. But Gödel's theorem asserts that axiom systems like Lisp I cannot be proved consistent within themselves. Until recently, all the known cases of sentences of Peano arithmetic unprovable within Peano arithmetic involved such an appeal to Gödel's theorem or similar unsolvability arguments. However, Paris and Harrington (1977) found a form of Ramsey's theorem, a well-known combinatorial theorem, that could be proved unprovable in Peano arithmetic. Even so, their proof of its unprovability involved showing that it implied the consistency of Peano arithmetic.

We can presumably prove Lisp I consistent just as Gentzen proved arithmetic consistent - by introducing a new axiom schema that allows induction up to the transfinite ordinal $\varepsilon_0$. Proving the new system consistent would require induction up to a still higher ordinal, etc.

Since every recursively defined function can be defined explicitly, any sentence involving such functions can be replaced by an equivalent sentence involving only $\sqsubseteq$ and the basic Lisp functions. The theory of $\sqsubseteq$ and these functions has a standard model, the usual S-expressions, and many non-standard models. We "construct" non-standard models in the usual way by appealing to the theorem that if every finite subset of a set S of sentences of first order logic has a model, then S has a model. For example, take S = {NIL $\sqsubseteq$ x, (A) $\sqsubseteq$ x, (A A) $\sqsubseteq$ x, ...} continued indefinitely. Every finite subset of S has a model; we need only take x to be the longest list of A's occurring in the sentences. Hence there is a model of the Lisp axioms in which x has all lists of A's as subexpressions. No sentence true in the standard model and false in such a model can be proved from the axioms. However, it is necessary to be careful about the meaning of termination of a function. In fact, taking successive cdrs of such an x would never terminate, but the sentence whose standard interpretation is termination of the computation is provable from Lisp I.


The practical question is: where does the correctness of ordinary programs come in? It seems likely that such statements will be provable with our original system of axioms. It doesn't follow that the system Lisp I will permit convenient proofs, but probably it will. Some heuristic evidence for this comes from (Cohen 1965). Cohen presents two systems of axiomatized arithmetic, Z1 and Z2. Z1 is ordinary Peano arithmetic with an axiom schema of induction, and Z2 is an axiomatization of hereditarily finite sets of integers. Superficially, Z2 is more powerful than Z1, but because the set operations of Z2 can be represented in Z1 as functions on the Gödel numbers of the sets, it turns out that Z1 is just as powerful once the necessary machinery has been established. Because lists are the basic data of Lisp I, and sets are easily represented as lists, the power of Lisp I will be approximately that of Z2, and convenient proofs of correctness statements should be possible. Moreover, since Lisp I is a first order theory, it is easily extended with axioms for sets, and this should help make informal proofs easy to express.

A PUB source of this paper is available on disk at the Stanford Artificial Intelligence Laboratory with the file name FIRST[W79,JMC].